An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000. Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company.

The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.

OK, that would be bad enough, but as I read the enforcement notice, I see that Pharmacy2U is an NHS-approved online pharmacy that is registered with the General Pharmaceutical Council and the Care Quality Commission. It provides an electronic prescription service, an online Doctor service, and an online retail of over the counter medicines and health and beauty products.

In order to access the service, patients must sign up and provide their name, sex, date of birth, postal address, phone number and email address. Users can opt out of marketing materials, but to do so, they have to login to their account and change the default settings. They seemingly could not just opt-out at the time of sign-up.

Nowhere in the registration or opt-out material did it inform patients that their information might be sold to third parties.

Pharmacy2U entered into an agreement with Alchemy Direct Media in October, 2014. The terms specified that Alchemy would seek prior approval from Pharmacy2U in relation to any promotional materials it wished to use to promote the data and that all potential clients had to be approved by Pharmacy2U.

Over the next few months, Alchemy rented Pharmacy2U database lists to three entities. In each case, the rental was approved by a senior executive at Pharmacy2U.

But because patients had not been properly informed that their data might be sold to third parties, the ICO found Pharmacy2U in contravention of the Data Protection Act.